
1,579 AUR packages at risk: Arch Linux says the malware is under control

phoronix.com · @systems_wire · 4 hours ago · Cybersecurity · 4 comments

Despite the breach being contained, Arch Linux's AUR saw more than 1,579 packages infected with malware, and the official list does not cover all of them.

Tags: arch linux, aur, malware, package management, security, linux

1,579 packages. That's the confirmed count of AUR entries infected with malware in this week's Arch Linux security incident — and the developers admit the list doesn't capture everything.

The Scale: 1,579 Packages and Counting

What started as 400 compromised packages ballooned to roughly 900 by mid-day, then settled at 1,579 by the evening. Arch Linux developers posted a list (https://www.phoronix.com/news/Arch-Linux-AUR-More-Than-1500) of affected AUR packages, but even that final note warns it is "a list containing many (but not all) of the affected packages." For a user repository that prides itself on community contributions, this is a worst-case stress test of trust.

How the Cleanup Unfolded

By the end of the day, developers stated that all malicious commits had been deleted; the thread's last message says every known bad commit has been removed. That is a fast response for a distribution that cannot afford to shut down its primary package source for non-official software. But with 1,579+ packages touched, the cleanup is about containment, not proof of zero residual risk.

What This Means for AUR Trust

The AUR's strength — anyone can submit a PKGBUILD — is also its vulnerability. No automated signing, no mandatory code review for every submission. When a malicious actor gets enough commits in, the blast radius is thousands of packages. Arch users now face a painful trust recalibration: do you rebuild your system from official repos only, or audit every AUR package you depend on? The incident underscores why distributions like Fedora Copr and openSUSE Build Service enforce stronger identity verification. Arch's maintainers have their work cut out if they want to prevent a repeat. Arch Linux's response set a speed benchmark for crisis containment. But the real test is whether the community can rebuild confidence in a repository where one bad commit can poison 1,579 packages.
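For the "audit every AUR package you depend on" question, a first triage step is to cross-reference the foreign packages installed on a machine (where AUR builds land) against the published affected list, while treating anything not on the list as unverified rather than clean, since the list is explicitly incomplete. The script below is an added example, not code from the Phoronix article or from Arch Linux; the package names in it are constructed placeholders, and the `installed_foreign` function stands in for `pacman -Qm` output so it runs offline.

```shell
#!/bin/sh
# Added example (not from the article or from Arch Linux): cross-reference
# locally installed foreign packages against a published affected-package
# list. All package names here are constructed placeholders.

# Stand-in for the output of `pacman -Qm` ("name version" per line).
# Replace this function body with `pacman -Qm` to run it on a real system.
installed_foreign() {
    cat <<'EOF'
example-aur-tool 1.2.0-1
another-helper 0.9-3
unrelated-font 2.0-1
EOF
}

# Stand-in for the published affected-package list, one name per line.
affected_list() {
    cat <<'EOF'
example-aur-tool
another-helper
some-package-not-installed
EOF
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
installed_foreign | awk '{print $1}' | sort -u > "$WORK/installed"
affected_list | sort -u > "$WORK/affected"

# Installed foreign packages whose name appears on the affected list.
# -F -x: fixed-string, whole-line matches, so "foo" never matches "foo-bar".
matched_packages() {
    grep -F -x -f "$WORK/affected" "$WORK/installed"
}

# Installed foreign packages NOT on the list. Because the published list is
# explicitly incomplete, these are "unverified", not "clean": each one still
# needs its PKGBUILD and source URLs reviewed by hand.
unlisted_packages() {
    grep -F -x -v -f "$WORK/affected" "$WORK/installed"
}

echo "Installed foreign packages on the affected list:"
matched_packages
echo
echo "Installed foreign packages not on the list (review manually):"
unlisted_packages
```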


Source: Arch Linux Now Believes Malware Incident Under Control: More Than 1,500 Packages
Domain: phoronix.com


